QRadar Network Packet Capture Query Language (NTQL)

Use the QRadar® Network Packet Capture Query Language (NTQL) to retrieve data from packets that are captured.

For example, you can use NTQL for the following types of information:
  • IPv4 host addresses, as source, destination or either
  • IPv6 host addresses, as source, destination or either
  • TCP or UDP port numbers, as source, destination or either
  • Layer 3 protocol carried by Ethernet frames
  • Layer 4 protocol carried by IP packets
  • Combinations of these with logical and and or
Note: NTQL is case sensitive.

Matching everything

An empty NTQL string matches all packets, which is useful when the number of matches is limited.

Host address search

To search for packets sent from a specific host (the source address), enter the following string:
src host <IP address>
To search for packets sent to a specific host (the destination address), enter the following string:
dst host <IP address>
Omit src or dst to match the address as either source or destination.

Port number search

To search for packets that were sent to or from a TCP or UDP port, enter the following string:
port <number>
Packets that use protocols without port numbers are never matched by this search.
To narrow down the search results to packets that were sent from a specific port, enter the following string:
src port <number>
To search for packets that were sent to a specific port, enter the following string:
dst port <number>

Layer 3 protocol search

To search for packets that use a specific layer 3 protocol, enter the following string:
l3proto <protocol>
where <protocol> is either a protocol number or a name. These are the supported protocol names:
  • arp
  • ip
  • ip4
  • ip6
  • ipv4
  • ipv6
  • lldp
  • ptp
When ip is given as protocol, IPv4 is used.

Layer 4 protocol search

To search for packets that use a specific layer 4 protocol, enter the following string:
l4proto <protocol>
where <protocol> is either a protocol number or a name. These are the supported names:
  • 3pc
  • ah
  • argus
  • aris
  • ax.25
  • bbn-rcc-mon
  • bna
  • br-sat-mon
  • cbt
  • cftp
  • chaos
  • compaq-peer
  • cphb
  • cpnx
  • crtp
  • crudp
  • dccp
  • dcn-meas
  • ddp
  • ddx
  • dgp
  • egp
  • eigrp
  • emcon
  • encap
  • esp
  • etherip
  • fc
  • fire
  • ggp
  • gmtp
  • gre
  • hip
  • hmp
  • hopopt
  • i-nlsp
  • iatp
  • icmp
  • idpr
  • idpr-cmtp
  • idrp
  • ifmp
  • igmp
  • igp
  • il
  • ip-in-ip
  • ipcomp
  • ipcu
  • ipip
  • iplt
  • ippc
  • iptm
  • ipv6
  • ipv6-frag
  • ipv6-icmp
  • ipv6-nonxt
  • ipv6-opts
  • ipv6-route
  • ipx-in-ip
  • irtp
  • iso-ip
  • iso-tp4
  • kryptolan
  • l2tp
  • larp
  • leaf-1
  • leaf-2
  • manet
  • merit-inp
  • mfe-nsp
  • mhrp
  • micp
  • mobile
  • mobility-header
  • mpls-in-ip
  • mtp
  • mux
  • narp
  • netblt
  • nsfnet-igp
  • nvp-ii
  • ospf
  • pgm
  • pim
  • pipe
  • pnni
  • prm
  • ptp
  • pup
  • pvp
  • qnx
  • rdp
  • rohc
  • rsvp
  • rsvp-e2e-ignore
  • rvd
  • sat-expak
  • sat-mon
  • scc-sp
  • scps
  • sctp
  • sdrp
  • secure-vmtp
  • shim6
  • skip
  • sm
  • smp
  • snp
  • sprite-rpc
  • sps
  • srp
  • sscopmce
  • st
  • stp
  • sun-nd
  • swipe
  • tcf
  • tcp
  • tlsp
  • tp++
  • trunk-1
  • trunk-2
  • ttp
  • udp
  • udplite
  • uti
  • vines
  • visa
  • vmtp
  • vrrp
  • wb-expak
  • wb-mon
  • wesp
  • wsn
  • xnet
  • xns-idp
  • xtp

Combining search terms

These search terms can be combined into more complex expressions with and and or keywords. For example, to search for packets to or from 1.1.1.1 or 2.2.2.2, enter the following string:
host 1.1.1.1 or host 2.2.2.2
To search for packets exchanged between 1.1.1.1 and 2.2.2.2 (one address is the source and the other the destination), enter the following string:
host 1.1.1.1 and host 2.2.2.2
These keywords are left associative. For example, consider the following syntax:
port 42 and host 1.1.1.1 or host 2.2.2.2
The expression evaluates to the following:
  • sent to or from port 42 and to or from host 1.1.1.1, or
  • to or from host 2.2.2.2 without regard for the port numbers
You can change the left association by using parentheses, as shown in the following example:
port 42 and (host 1.1.1.1 or host 2.2.2.2)
This expression matches packets to or from port 42 that are also to or from host 1.1.1.1 or host 2.2.2.2.
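The search terms introduced above (host and port terms with the optional src and dst prefixes, l3proto and l4proto by name or number, and the left-associative and/or combination with parentheses) as one added, runnable example. This is a small Python evaluator written for this page, not IBM's NTQL implementation. The packet records, their field names (l3 for the EtherType, l4 for the IP protocol number, src, dst, sport, dport) and the handful of protocol-name mappings are constructed assumptions; treating and and or as equal-precedence operators applied left to right is also an assumption, chosen because it reproduces both combined examples on this page.

```python
# Added example for this page, not IBM's NTQL implementation: evaluates the NTQL subset
# documented above against constructed packet dicts (field layout is an assumption).
import re

# EtherTypes for the documented l3proto names ("ip" means IPv4, as stated above).
L3_NAMES = {"arp": 0x0806, "ip": 0x0800, "ip4": 0x0800, "ipv4": 0x0800,
            "ip6": 0x86DD, "ipv6": 0x86DD, "lldp": 0x88CC, "ptp": 0x88F7}
# IANA protocol numbers for a subset of the documented l4proto names.
L4_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6-icmp": 58, "sctp": 132}
_TOKEN = re.compile(r"\s*(\(|\)|[^\s()]+)")

class NTQLError(ValueError):
    """A query that does not parse: unknown keyword, wrong case or bad syntax."""

def _value(token, names=None):
    """A number (decimal or 0x hex) or, when a table is given, a documented protocol name."""
    if names and token in names:
        return names[token]
    try:
        return int(token, 0)
    except ValueError:
        raise NTQLError(f"bad value {token!r} (names are case sensitive)") from None

def _side(direction, src_field, dst_field, value):
    """Match value on the source field ("src"), destination field ("dst") or either (None).
    A packet that lacks the field (an ICMP packet against a port term) never matches."""
    return lambda p: ((direction != "dst" and p.get(src_field) == value) or
                      (direction != "src" and p.get(dst_field) == value))

def parse(query):
    """Compile a query into a predicate packet -> bool; an empty query matches everything."""
    tokens, pos = [m.group(1) for m in _TOKEN.finditer(query)], 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if tok is None or (expected and tok != expected):
            raise NTQLError(f"expected {expected or 'a search term'} at token {pos}")
        pos += 1
        return tok

    def parse_expr():
        # Assumption consistent with the page's examples: "and" and "or" are applied left
        # to right with equal precedence, so "a and b or c" means "(a and b) or c".
        left = parse_term()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op, right = take(), parse_term()
            left = ((lambda p, l=left, r=right: l(p) and r(p)) if op == "and"
                    else (lambda p, l=left, r=right: l(p) or r(p)))
        return left

    def parse_term():
        tok = take()
        if tok == "(":
            inner = parse_expr()
            take(")")
            return inner
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok == "host":
            return _side(direction, "src", "dst", take())
        if tok == "port":
            return _side(direction, "sport", "dport", _value(take()))
        if direction is not None:
            raise NTQLError(f"{direction} must be followed by host or port, not {tok!r}")
        if tok in ("l3proto", "l4proto"):
            layer, value = tok[:2], _value(take(), L3_NAMES if tok == "l3proto" else L4_NAMES)
            return lambda p: p.get(layer) == value
        raise NTQLError(f"unknown keyword {tok!r} (NTQL is case sensitive)")
    if not tokens:
        return lambda p: True
    pred = parse_expr()
    if pos < len(tokens):
        raise NTQLError(f"unexpected {tokens[pos]!r} at token {pos}")
    return pred

def search(query, packets):
    """Return the ids of the packets the query matches, in capture order."""
    pred = parse(query)
    return [p["id"] for p in packets if pred(p)]

def is_valid(query):  # True when the query parses; shows that keywords are case sensitive
    try:
        parse(query)
        return True
    except NTQLError:
        return False

# Constructed sample capture, not real traffic: "l3" is the EtherType, "l4" the IP
# protocol number. Packets 4 (ICMP) and 5 (ARP) carry no port numbers.
PACKETS = [
    {"id": 1, "l3": 0x0800, "l4": 6, "src": "1.1.1.1", "dst": "10.0.0.5", "sport": 42, "dport": 443},
    {"id": 2, "l3": 0x0800, "l4": 17, "src": "10.0.0.5", "dst": "2.2.2.2", "sport": 5353, "dport": 53},
    {"id": 3, "l3": 0x0800, "l4": 6, "src": "2.2.2.2", "dst": "1.1.1.1", "sport": 42, "dport": 8080},
    {"id": 4, "l3": 0x0800, "l4": 1, "src": "1.1.1.1", "dst": "10.0.0.9"},
    {"id": 5, "l3": 0x0806, "src": "10.0.0.1", "dst": "10.0.0.5"},
    {"id": 6, "l3": 0x86DD, "l4": 6, "src": "2001:db8::1", "dst": "2001:db8::2", "sport": 40000, "dport": 22},
]
```

With the constructed capture, search("port 42 and host 1.1.1.1 or host 2.2.2.2", PACKETS) returns the ids [1, 2, 3], while the parenthesized form "port 42 and (host 1.1.1.1 or host 2.2.2.2)" returns [1, 3]; the ICMP and ARP packets never satisfy a port term, and is_valid("Host 1.1.1.1") is False because the keyword case is wrong. Note that the equal-precedence rule assumed here differs from BPF-style filters such as tcpdump, where and binds more tightly than or, so when you move a filter between tools, parenthesize every mixed and/or expression instead of relying on either rule.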